Microsoft Azure Certified Security Engineer AZ-500 Part 3
Question #: 81
Topic #: 2
HOTSPOT –
Your company has two offices in Seattle and New York. Each office connects to the Internet by using a NAT device. The offices use the IP addresses shown in the following table.
The company has an Azure Active Directory (Azure AD) tenant named contoso.com. The tenant contains the users shown in the following table.
The MFA service settings are configured as shown in the exhibit. (Click the Exhibit tab.)
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 82
Topic #: 5
HOTSPOT –
You have an Azure subscription that contains an Azure key vault named Vault1.
On January 1, 2019, Vault1 stores the following secrets. All dates are in mm/dd/yy format.
When can each secret be used by an application? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 83
Topic #: 7
You have an Azure subscription that contains an Azure Kubernetes Service (AKS) cluster named AKS1.
You have an Azure container registry that stores container images that were deployed by using Azure DevOps Microsoft-hosted agents.
You need to ensure that administrators can access AKS1 only from specific networks. The solution must minimize administrative effort.
What should you configure for AKS1?
A. authorized IP address ranges
B. an Application Gateway Ingress Controller (AGIC)
C. a private endpoint
D. a private cluster
Selected Answer: D
Question #: 84
Topic #: 1
Your company has an Azure Container Registry.
You have been tasked with assigning a user a role that allows for the uploading of images to the Azure Container Registry. The role assigned should not require more privileges than necessary.
Which of the following is the role you should assign?
A. Owner
B. Contributor
C. AcrPush
D. AcrPull
Selected Answer: C
Question #: 85
Topic #: 3
You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
A. device configuration policies in Microsoft Intune
B. Azure Automation State Configuration
C. security policies in Azure Security Center
D. device compliance policies in Microsoft Intune
Selected Answer: B
Question #: 86
Topic #: 6
You have an Azure subscription that contains the resources shown in the following table.
You plan to deploy an Azure Private Link service named APL1.
Which resource should you reference during the creation of APL1.
A. LB1
B. SQL1
C. VMSS1
D. VM1
Selected Answer: A
Question #: 87
Topic #: 6
DRAG DROP
–
You have an on-premises datacenter.
You have an Azure subscription that contains a virtual machine named VM1. VM1 is connected to a virtual network named VNet1. VNet1 is connected to the on-premises datacenter by using a Site-to-Site (S2S) VPN.
You plan to create an Azure storage account named storage1 and deploy an Azure web app named App1.
You need to ensure that network communication to each resource meets the following requirements:
• Connections to App1 must be allowed only from corporate network NAT addresses.
• Connections from VNet1 to storage1 must use the Microsoft backbone network.
• The solution must minimize costs.
What should you configure for each resource? To answer, drag the appropriate components to the correct resources. Each component may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 88
Topic #: 7
You have an Azure subscription that contains an Azure Data Lake Storage account named sa1.
You plan to deploy an app named App1 that will access sa1 and perform operations, including Read, List, Create Directory, and Delete Directory.
You need to ensure that App1 can connect securely to sa1 by using a private endpoint.
What is the minimum number of private endpoints required for sa1?
A. 1
B. 2
C. 3
D. 4
E. 5
Selected Answer: B
Question #: 89
Topic #: 1
Your company has an Azure Container Registry.
You have been tasked with assigning a user a role that allows for the downloading of images from the Azure Container Registry. The role assigned should not require more privileges than necessary.
Which of the following is the role you should assign?
A. Reader
B. Contributor
C. AcrDelete
D. AcrPull
Selected Answer: D
Question #: 90
Topic #: 3
You have an Azure subscription named Sub1. Sub1 contains a virtual network named VNet1 that contains one subnet named Subnet1.
Subnet1 contains an Azure virtual machine named VM1 that runs Ubuntu Server 18.04.
You create a service endpoint for Microsoft.Storage in Subnet1.
You need to ensure that when you deploy Docker containers to VM1, the containers can access Azure Storage resources by using the service endpoint.
What should you do on VM1 before you deploy the container?
A. Create an application security group and a network security group (NSG).
B. Edit the docker-compose.yml file.
C. Install the container network interface (CNI) plug-in.
Selected Answer: C
Question #: 91
Topic #: 5
You have an Azure web app named webapp1.
You need to configure continuous deployment for webapp1 by using an Azure Repo.
What should you create first?
A. an Azure Application Insights service
B. an Azure DevOps organization
C. an Azure Storage account
D. an Azure DevTest Labs lab
Selected Answer: B
Question #: 92
Topic #: 2
Your company plans to create separate subscriptions for each department. Each subscription will be associated to the same Azure Active Directory (Azure AD) tenant.
You need to configure each subscription to have the same role assignments.
What should you use?
A. Azure Security Center
B. Azure Policy
C. Azure AD Privileged Identity Management (PIM)
D. Azure Blueprints
Selected Answer: D
Question #: 93
Topic #: 2
HOTSPOT –
You have an Azure Container Registry named Registry1.
You add role assignments for Registry1 as shown in the following table.
Which users can upload images to Registry1 and download images from Registry1? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 94
Topic #: 5
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops an application named App1. App1 is registered in Azure AD.
You need to ensure that App1 can access secrets in Azure Key Vault on behalf of the application users.
What should you configure?
A. an application permission without admin consent
B. a delegated permission without admin consent
C. a delegated permission that requires admin consent
D. an application permission that requires admin consent
Selected Answer: C
Question #: 95
Topic #: 6
You have an Azure subscription that contains the subnets shown in the following table.
The subscription contains an Azure web app named WebApp1 that has the following configurations:
• Region: West US
• Virtual network: VNet1
• VNet integration: Enabled
• Outbound subnet: Subnet11
• Windows plan (West US): ASP1
You plan to deploy an Azure web app named WebApp2 that will have the following settings:
• Region: West US
• VNet integration: Enabled
• Windows plan (West US): ASP1
To which subnets can you integrate WebApp2?
A. Subnet11 only
B. Subnet12 only
C. Subnet11 or Subnet12 only
D. Subnet12 or Subnet21 only
E. Subnet11, Subnet12, or Subnet21
Selected Answer: D
Question #: 96
Topic #: 7
You have an Azure subscription that uses Microsoft Defender for Cloud. The subscription contains an instance of Azure Database for PostgreSQL.
You need to ensure that an email alert is triggered when a suspected brute force attack on the database is detected. The solution must minimize administrative effort.
What should you configure?
A. the Azure Monitor activity log
B. an Azure Monitor alert rule
C. Microsoft Defender for open-source relational databases
D. the PostgreSQL Audit extension (pgAudit)
Selected Answer: C
Question #: 97
Topic #: 1
Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your Company’s Azure subscription includes a virtual network that has a single subnet configured.
You have created a service endpoint for the subnet, which includes an Azure virtual machine that has Ubuntu Server 18.04 installed.
You are preparing to deploy Docker containers to the virtual machine. You need to make sure that the containers can access Azure Storage resources and Azure
SQL databases via the service endpoint.
You need to perform a task on the virtual machine prior to deploying containers.
Solution: You create an application security group.
Does the solution meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 98
Topic #: 4
You have 10 virtual machines on a single subnet that has a single network security group (NSG).
You need to log the network traffic to an Azure Storage account.
What should you do?
A. Install the Network Performance Monitor solution.
B. Create an Azure Log Analytics workspace.
C. Enable diagnostic logging for the NSG.
D. Enable NSG flow logs.
Selected Answer: D
Question #: 99
Topic #: 3
You have Azure Resource Manager templates that you use to deploy Azure virtual machines.
You need to disable unused Windows features automatically as instances of the virtual machines are provisioned.
What should you use?
A. device configuration policies in Microsoft Intune
B. an Azure Desired State Configuration (DSC) virtual machine extension
C. application security groups
D. device compliance policies in Microsoft Intune
Selected Answer: B
Question #: 100
Topic #: 3
DRAG DROP –
You have an Azure subscription that contains the virtual networks shown in the following table.
The Azure virtual machines on SpokeVNetSubnet0 can communicate with the computers on the on-premises network.
You plan to deploy an Azure firewall to HubVNet.
You create the following two routing tables:
✑ RT1: Includes a user-defined route that points to the private IP address of the Azure firewall as a next hop address
✑ RT2: Disables BGP route propagation and defines the private IP address of the Azure firewall as the default gateway
You need to ensure that traffic between SpokeVNetSubnet0 and the on-premises network flows through the Azure firewall.
To which subnet should you associate each route table? To answer, drag the appropriate subnets to the correct route tables. Each subnet may be used once, more than once, or not at all. You may need to drag the split bar between panes or scroll to view content.
NOTE: Each correct selection is worth one point.
Select and Place:
Suggestion Answer:
Question #: 101
Topic #: 7
HOTSPOT
–
Your company uses cloud-based resources from the following platforms:
• Azure
• Amazon Web Services (AWS)
• Google Cloud Platform (GCP)
You plan to implement Microsoft Defender for Cloud.
On which platforms can you use Defender for Cloud to protect containers and storage? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 102
Topic #: 5
DRAG DROP –
Your company has an Azure Active Directory (Azure AD) tenant named contoso.com.
The company is developing an application named App1. App1 will run as a service on server that runs Windows Server 2016. App1 will authenticate to contoso.com and access Microsoft Graph to read directory data.
You need to delegate the minimum required permissions to App1.
Which three actions should you perform in sequence from the Azure portal? To answer, move the appropriate actions from the list of actions to the answer area and arrange them in the correct order.
Select and Place:
Suggestion Answer:
Question #: 103
Topic #: 6
You have an Azure subscription.
You need to deploy an Azure virtual WAN to meet the following requirements:
• Create three secured virtual hubs located in the East US, West US, and North Europe Azure regions.
• Ensure that security rules sync between the regions.
What should you use?
A. Azure Virtual Network Manager
B. Azure Front Door
C. Azure Network Function Manager
D. Azure Firewall Manager
Selected Answer: A
Question #: 104
Topic #: 1
Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your Company’s Azure subscription includes a virtual network that has a single subnet configured.
You have created a service endpoint for the subnet, which includes an Azure virtual machine that has Ubuntu Server 18.04 installed.
You are preparing to deploy Docker containers to the virtual machine. You need to make sure that the containers can access Azure Storage resources and Azure
SQL databases via the service endpoint.
You need to perform a task on the virtual machine prior to deploying containers.
Solution: You create an AKS Ingress controller.
Does the solution meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 105
Topic #: 2
You have an Azure subscription.
You create an Azure web app named Contoso1812 that uses an S1 App Service plan.
You plan to –
create a CNAME DNS record for www.contoso.com that points to Contoso1812.
You need to ensure that users can access Contoso1812 by using the https://www.contoso.com URL.
Which two actions should you perform? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. Turn on the system-assigned managed identity for Contoso1812.
B. Add a hostname to Contoso1812.
C. Scale out the App Service plan of Contoso1812.
D. Add a deployment slot to Contoso1812.
E. Scale up the App Service plan of Contoso1812.
F. Upload a PFX file to Contoso1812.
Selected Answer: BF
Question #: 106
Topic #: 4
You have an Azure subscription that contains the virtual machines shown in the following table.
From Azure Security Center, you turn on Auto Provisioning.
You deploy the virtual machines shown in the following table.
On which virtual machines is the Log Analytics Agent installed?
A. VM3 only
B. VM1 and VM3 only
C. VM3 and VM4 only
D. VM1, VM2, VM3, and VM4
Selected Answer: D
Question #: 107
Topic #: 6
HOTSPOT
–
You have an Azure subscription that contains the resources shown in the following table.
VNet1 connects to a remote site by using a Site-to-Site (S2S) VPN that uses forced tunneling.
VNet1 contains the subnets shown in the following table.
The SQL subnet contains SQL1.
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 108
Topic #: 3
HOTSPOT –
You have an Azure subscription. The subscription contains Azure virtual machines that run Windows Server 2016.
You need to implement a policy to ensure that each virtual machine has a custom antimalware virtual machine extension installed.
How should you complete the policy? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 109
Topic #: 4
HOTSPOT –
You plan to use Azure Log Analytics to collect logs from 200 servers that run Windows Server 2016.
You need to automate the deployment of the Microsoft Monitoring Agent to all the servers by using an Azure Resource Manager template.
How should you complete the template? To answer, select the appropriate options in the answer area.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 110
Topic #: 1
Note: The question is included in a number of questions that depicts the identical set-up. However, every question has a distinctive result. Establish if the solution satisfies the requirements.
Your Company’s Azure subscription includes a virtual network that has a single subnet configured.
You have created a service endpoint for the subnet, which includes an Azure virtual machine that has Ubuntu Server 18.04 installed.
You are preparing to deploy Docker containers to the virtual machine. You need to make sure that the containers can access Azure Storage resources and Azure
SQL databases via the service endpoint.
You need to perform a task on the virtual machine prior to deploying containers.
Solution: You install the container network interface (CNI) plug-in.
Does the solution meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 111
Topic #: 5
Your company has an Azure subscription named Sub1 that is associated to an Azure Active Directory (Azure AD) tenant named contoso.com.
The company develops a mobile application named App1. App1 uses the OAuth 2 implicit grant type to acquire Azure AD access tokens.
You need to register App1 in Azure AD.
What information should you obtain from the developer to register the application?
A. a redirect URI
B. a reply URL
C. a key
D. an application ID
Selected Answer: A
Question #: 112
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have an Azure subscription named Sub1.
You have an Azure Storage account named sa1 in a resource group named RG1.
Users and applications access the blob service and the file service in sa1 by using several shared access signatures (SASs) and stored access policies.
You discover that unauthorized users accessed both the file service and the blob service.
You need to revoke all access to sa1.
Solution: You create a lock on sa1.
Does this meet the goal?
A. Yes
B. No
Selected Answer: B
Question #: 113
Topic #: 4
HOTSPOT –
You have an Azure subscription that contains the alerts shown in the following exhibit.
Use the drop-down menus to select the answer choice that completes each statement based on the information presented in the graphic.
NOTE: Each correct selection is worth one point.
Hot Area:
Suggestion Answer:
Question #: 114
Topic #: 1
You make use of Azure Resource Manager templates to deploy Azure virtual machines.
You have been tasked with making sure that Windows features that are not in use, are automatically inactivated when instances of the virtual machines are provisioned.
Which of the following actions should you take?
A. You should make use of Azure DevOps.
B. You should make use of Azure Automation State Configuration.
C. You should make use of network security groups (NSG).
D. You should make use of Azure Blueprints.
Selected Answer: B
Question #: 115
Topic #: 2
Note: This question is part of a series of questions that present the same scenario. Each question in the series contains a unique solution that might meet the stated goals. Some question sets might have more than one correct solution, while others might not have a correct solution.
After you answer a question in this section, you will NOT be able to return to it. As a result, these questions will not appear in the review screen.
You have a hybrid configuration of Azure Active Directory (Azure AD).
You have an Azure HDInsight cluster on a virtual network.
You plan to allow users to authenticate to the cluster by using their on-premises Active Directory credentials.
You need to configure the environment to support the planned authentication.
Solution: You deploy Azure Active Directory Domain Services (Azure AD DS) to the Azure subscription.
Does this meet the goal?
A. Yes
B. No
Selected Answer: A
Question #: 116
Topic #: 5
From the Azure portal, you are configuring an Azure policy.
You plan to assign policies that use the DeployIfNotExist, AuditIfNotExist, Append, and Deny effects.
Which effect requires a managed identity for the assignment?
A. AuditIfNotExist
B. Append
C. DeployIfNotExist
D. Deny
Selected Answer: C
Question #: 117
Topic #: 6
HOTSPOT
–
You have an Azure subscription that contains the virtual networks shown in the following table.
The subscription contains the subnets shown in the following table.
You plan to create an Azure web app named WebApp2 that will have the following configurations:
• Region: East US
• VNet integration: Enabled
• Scale out: Autoscale to up to 10 instances
For each of the following statements, select Yes if the statement is true. Otherwise, select No.
NOTE: Each correct selection is worth one point.
Suggestion Answer:
Question #: 118
Topic #: 1
Your company’s Azure subscription includes Windows Server 2016 Azure virtual machines.
You are informed that every virtual machine must have a custom antimalware virtual machine extension installed. You are writing the necessary code for a policy that will help you achieve this.
Which of the following is an effect that must be included in your code?
A. Disabled
B. Modify
C. AuditIfNotExists
D. DeployIfNotExists
Selected Answer: D
Question #: 119
Topic #: 3
You have an Azure subscription that contains the Azure virtual machines shown in the following table.
You create an MDM Security Baseline profile named Profile1.
You need to identify to which virtual machines Profile1 can be applied.
Which virtual machines should you identify?
A. VM1 only
B. VM1, VM2, and VM3 only
C. VM1 and VM3 only
D. VM1, VM2, VM3, and VM4
Selected Answer: A
Question #: 120
Topic #: 2
Your network contains an Active Directory forest named contoso.com. You have an Azure Active Directory (Azure AD) tenant named contoso.com.
You plan to configure synchronization by using the Express Settings installation option in Azure AD Connect.
You need to identify which roles and groups are required to perform the planned configuration. The solution must use the principle of least privilege.
Which two roles and groups should you identify? Each correct answer presents part of the solution.
NOTE: Each correct selection is worth one point.
A. the Domain Admins group in Active Directory
B. the Security administrator role in Azure AD
C. the Global administrator role in Azure AD
D. the User administrator role in Azure AD
E. the Enterprise Admins group in Active Directory
Selected Answer: CE
